Please enhance NetworkManager such that DNSSEC validation is done whenever possible

Bug #995332 reported by Malcolm Scott
This bug affects 7 people
Affects                    Status    Importance  Assigned to  Milestone
dnsmasq (Ubuntu)           Invalid   Wishlist    Unassigned
network-manager (Ubuntu)   Triaged   Wishlist    Unassigned

Bug Description

Network Manager in Precise uses a local forwarding DNS server (dnsmasq). This does not perform DNSSEC validation, although it is configured to proxy the DNSSEC validation result from the upstream server, for which the manpage mentions the following caveat:

"You should only do this if you trust all the configured upstream nameservers and the network between you and them."

Since not all networks or upstream DNS servers are trustworthy, the safest place to perform DNSSEC validation is on the client. Using a local DNS server which cannot validate is a missed opportunity; by replacing dnsmasq with a more-capable DNS server (e.g. Unbound) security against DNS poisoning and MITM attacks could be improved.

visibility: private → public
Mathieu Trudel-Lapierre (cyphermox) wrote :

This wouldn't really be different than using libc for resolving, so I don't think it really qualifies as a security issue.

You can still perform DNSSEC validation, which is the actual difference from if DNSSEC proxying wasn't supported by dnsmasq. Granted, it doesn't automatically do the validation itself, but neither do most programs (or libc).

Should you want to have DNSSEC validation on your system for now, you might want to install the DNSSEC Validator plugin for Firefox.

It definitely should be done, but this will depend on work upstream or by developers. In other words, patches welcome, for fixing dnsmasq itself.

We may look into adding support for unbound as a resolver in NM; to be determined.

Changed in network-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Changed in dnsmasq (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Thomas Hood (jdthood)
Changed in dnsmasq (Ubuntu):
status: Triaged → Invalid
summary: - Validate DNSSEC by default
+ Please enhance NetworkManager such that DNSSEC validation is done
+ whenever possible
Renne (renne) wrote :

Dnsmasq supports validating DNSSEC since version 2.69. Bugs have been fixed since version 2.71.

Please update Ubuntu packages to 2.71 and compile with DNSSEC support (see http://www.thekelleys.org.uk/dnsmasq/CHANGELOG)!

Renne (renne) wrote :

Do NOT use DNSSEC-proxy function of Dnsmasq. The validation is done on a resolver in the internet. Any attacker can use a Man-In-The-Middle attack between the DNSSEC-resolver in the internet and Dnsmasq to manipulate the DNSSEC data. Proxying the DO-/AD-bit lulls the user into a FALSE sense of security.

DNSSEC-proxying is highly INSECURE!

Andreas Schildbach (schildbach) wrote :

Does anyone have instructions for how to configure this by hand on a desktop Ubuntu vivid or wily installation?

Nicolas Delvaux (malizor) wrote :

On Wily, I edited /etc/dnsmasq.d/network-manager and added the following lines:

# DNSSEC setup
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
dnssec-check-unsigned

I then restarted network-manager and tried to connect to http://www.dnssec-failed.org/.
As expected, the site does not load (it is deliberately configured to fail DNSSEC validation).
But when reloading the page multiple times, it is sometimes displayed! I don't understand why.

Nicolas Delvaux (malizor) wrote :

For some reason, subsequent DNS queries do not always bring the same result here with the above configuration:

First queries after a reboot return what's expected:

nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org

; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 127 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jan 02 13:11:49 CET 2016
;; MSG SIZE rcvd: 50

And then, suddenly:

nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org

; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21156
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; ANSWER SECTION:
www.dnssec-failed.org. 3407 IN A 69.252.193.191
www.dnssec-failed.org. 3407 IN A 68.87.109.242

;; Query time: 12 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jan 02 13:11:50 CET 2016
;; MSG SIZE rcvd: 82

Does someone have an idea of what is going on?
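
Added example, not part of the original thread: a small Python check that reads the header of saved dig output for a zone known to fail DNSSEC validation (such as www.dnssec-failed.org above) and reports whether the local resolver rejected it on every run. The function names are hypothetical; the two sample headers are copied from the dig runs quoted above.

```python
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
# Matches the header flags line only; the EDNS "flags:;" line has no QUERY count.
FLAGS_RE = re.compile(r"flags:\s*([a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(\d+)")

# Header lines copied from the two dig runs quoted in the thread.
FIRST_RUN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SECOND_RUN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21156
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig(text):
    """Extract status, header flags and answer count from dig output."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig response header found")
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()),
            "answers": int(flags.group(2))}

def classify(resp):
    """rejected: resolver refused the data; validated: answer carries the
    AD flag; unvalidated: answer handed back with no AD flag."""
    if resp["status"] == "SERVFAIL":
        return "rejected"
    if resp["status"] == "NOERROR" and resp["answers"] > 0:
        return "validated" if "ad" in resp["flags"] else "unvalidated"
    return "other"

def audit_bogus_zone(runs):
    """For a zone that must fail validation, every run has to be rejected."""
    verdicts = [classify(parse_dig(r)) for r in runs]
    return {"verdicts": verdicts,
            "enforced": all(v == "rejected" for v in verdicts),
            "flapping": len(set(verdicts)) > 1}

if __name__ == "__main__":
    print(audit_bogus_zone([FIRST_RUN, SECOND_RUN]))
```

To run it against a live resolver, capture the output of repeated `dig www.dnssec-failed.org` runs to files and pass their contents to `audit_bogus_zone`.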

This report contains Public Security information  
Everyone can see this security related information.
